Anomaly

Observations are the basis of any informed assessment of whether operations comply with rules and regulations and meet the expected standards. Observations are used to support the findings in the report. They can take the form of screenshots, photos, or configuration files in plain text. When you find an anomaly, what is your first response? First, double-check whether it is a false positive. If it is valid, then check whether an exception has been granted with a valid reason and the appropriate level of approval. That is not yet the end. A more responsible cybersecurity practitioner or auditor should also look at the effectiveness of the written directive: whether it is reasonable and practically achievable. This is the hard part, because it might be outside the scope of the assessment, or the assessor may go solely by the book. In any case, policy makers should look at the report and rethink whether the written directives are too tight or too rigid, to the point of killing the business. Bear in...

Obsolescence

One of the biggest challenges in OT (Operational Technology) systems is technology obsolescence. Here, we are not talking about the machinery but the controller. A typical machine (or plant) has two major portions: machinery (e.g. motors, valves) and C&I (control and instrumentation). Nowadays the traditional C&I is replaced by commodity hardware and software because they are readily available on the market. That is where the pain point lies: the technology product lifecycle is shorter than that of the machinery. Most often, those microprocessor controllers enter an end-of-support state because the OEM of the embedded OS platform and applications will not fix any publicly known vulnerabilities; their support policy covers only the latest few versions. From a system reliability perspective, support is important, but from a cyber security perspective, end of support is not the end of the world. As long as the "system" is still running, there is no means to upgrade it merely because of the fear of a hypothetical cyber attack. The plant room in the illustration shall host those...

Access Path

A path is required through a barrier or perimeter for a number of reasons: reachability to and from a destination for legitimate needs such as logistics, transport, etc. In the cyber world, a network perimeter device protects the inside zone from the outside, but "holes" are still required. A common example is access to a web site from outside. How do we stay secure? It requires orchestration across different aspects: configuration hardening, access control to resources, incident response, resilience, regular security updates, situational awareness and, most importantly, an achievable cyber security policy mandating that all of these are in place. ...

In The Cloud

We always hear people saying that everything is now in the Cloud. Strictly speaking, this is somewhat incorrect. Even with IaaS, PaaS, SaaS, etc., there is physical equipment on SOMEBODY's premises serving the client. It is just that the client has a very slim footprint: likely a physical device with a web browser connecting to the Internet for all the services (infrastructure, platform, software) it requires in the Cloud. When we develop written directives, we should not be influenced by jargon. We need a holistic view that stipulates the precise generic case, and is precisely specific only in certain situations, rather than relying on case-by-case assessment. That would end up as no policy at all. ...

Perimeter #3

One of the key controls in the cyber world is the ingress/egress points of the network. Without sufficient control, threat actors are able to penetrate inside, causing system or service disruption anywhere, anytime. On top of the network aspect, controlling physical access to the equipment is also important. In the physical world, establishing a physical perimeter is far more challenging than in the cyber world. Three are "proper" means to reach a region, and there are multiple "improper" means to do the same. Effective control is a proper policy for "illegal" entry. ...

Shared Responsibility

Source: AWS Security Day 2025. I saw some awareness posters stating that cyber security is a shared responsibility. No doubt each of us plays a different and important role in protecting cyber space. But putting up a slogan like this without any elaboration is unwise. We never know who is to do what, and eventually no one takes accountability. Shared responsibility must be well defined somewhere that the audience can easily access. Examples are: Senior Management supports and sponsors the necessary cybersecurity resources; Technical Teams secure the digital assets throughout their life cycle; General Users follow the good practices published by reputable internal subject matter experts. The AWS model is a good example. [Disclaimer: Not a recommendation or critique, nor having any association or affiliation with AWS.] ...

Policy #12

In the illustration, there is an implicit EXCEPT WITH PERMIT in real life. However, the bilingual "excepts" are inconsistent. The Chinese version excepts just bicycles. The English version says cycles. There are variations of "cycles": bicycle, tricycle, motorcycle. This will create confusion for enforcement and compliance. A better version would be "Except non-motor vehicles". Then bicycles, tricycles, trolleys and scooters are all allowed. This is precise generic. ...

Policies #11

Policies are rules. They stipulate what is allowed and what is not. Good policies must be practically achievable and enforceable, neither too strict nor too loose; this is the hard part. Too strict will incur policy exceptions, and too loose will make the policy a decorative statement on a sign board. Writing good cybersecurity policies requires these as a foundation: the policy maker must understand the business model and what outcomes are to be delivered; what risk appetite the organization is willing to take, since after all there is no 100% secure business in the world; how the requirements shall enable the business securely without prohibiting innovation, as we are living in the digital transformation era and everything is moving into cyber; and what peers or the industry are doing, whether the bar is set too high or too low. That said, don't just apply textbook knowledge; listen to the business units about what will work and what will not. Strike the right balance with the 80/20 rule. ...

Security By Trust

In the physical world, we trust that this glass roof is safe and secure to walk on because there are underlying processes to sustain its safety: regular inspection and maintenance; regulatory requirements for licence issue and renewal; third-party insurance; etc. In addition, in building this infrastructure, the design caters for the intended loading with a safety margin, wind speed and anchor-point stability, and it is built to engineering standards to ascertain quality. We therefore have no doubt, trust that these arrangements are in place, and safely step on it. In the cyber world, things are different. There might be cybersecurity standards as a foundation, but the design and build require competent practitioners. Even when there are comprehensive verification tests before commissioning, there are always new cyber threats requiring recurring effort to sustain the effectiveness of the protection. Deception that lures victims to malicious web sites to compromise the device or application further complicates the situation. Then, how do we stay secure in the cyber world? It's a very...

Responsibility

I saw a certain cyber security awareness poster stating that keeping cyber secure is a shared responsibility. In a certain way, this is true. Each of us plays a different part in protecting the assets in the digital world. But "shared responsibility" comes across as though no one will take accountability, and everyone will think someone else will take the lead in securing things. In the illustration, you are responsible for equipping yourself well before entering the wild. You are clearly informed: "You must be properly prepared to meet these hazards on their own terms. This is your responsibility." That should apply to the digital world, and "shared" responsibility isn't the proper term or tone. ...